Information security technology has become the "fad diet" of the IT industry.
Normally, I dislike arguing by analogy, but the similarities between the diet industry and the information security market are unmistakable.
Americans spend billions of dollars annually on pseudo-scientific patent medicines that claim "just take this and you'll lose weight!" when in fact the only way to lose weight is to let the 2nd law of thermodynamics do its magic: if you burn more than you take in, you'll get smaller.
We all know the two magic cures: diet and exercise, but somehow those are the last resort, instead of the first.
Information security is the same way: If you reduce the number of potential lines of attack against your systems, you'll be harder to attack.
If the number of potential lines of attack is equal to zero, you'll be impossible to attack.
But building low-complexity systems that are secure by design is the last resort, instead of the first. And the proof is in the pudding.
Information Security Awareness and Privacy Training Programs
Provide better protection for assets by
Helping employees recognize and respond appropriately to real and potential security concerns.
Providing fresh, updated information to keep your staff current on new risks and what to do about them.
Making employees, contractors, and business partners aware that the data on their computers and mobile devices (PDAs, thumb drives, smart phones, etc.) are valuable and vulnerable.
Improve morale by
Providing information that is personally useful to your staff, such as how to avoid scams, fraud, phishing, and ID theft. Information on how to protect home PCs and how to use e-mail and the Internet safely lets employees know that your organization cares about them. Building good computing habits at home is as important as building those behaviors at work. Secure computing habits will transfer across environments.
Rewarding good security behaviors and those who stand up for security. Recognition for doing something well boosts morale.
Save money by
Reducing the number and extent of information security breaches. The sooner a breach is identified, the lower the cost of addressing it will be. Direct costs (e.g., cost to recover data lost or altered during an incident, cost to notify customers of breaches, fines for non-compliance) and indirect costs (e.g., lost customers, lost productivity, time spent investigating/resolving breaches and hoaxes) will decrease.
Reducing systems' costs by allowing control measures to be designed into systems rather than adding them to installed systems. (It is significantly more expensive to retrofit a control than to design it into an application or system.)
Providing savings through coordination and measurement of all security awareness, training, and educational activities while reducing duplication of efforts.
Give your organization a competitive advantage and protect and enhance your organization's reputation and brand by
Showing customers that your organization cares about protecting their information. Think of the good will that Johnson and Johnson received when management made a decision to protect customers by pulling Tylenol off the shelves when some packages were found to contain poison.
Preventing the negative press that can result from security breaches.
Protect customer information and corporate information by
Building a culture of security competence that motivates employees, contractors, and consultants to improve their behaviors and to incorporate security concerns into their decision making.
Malware writers are increasingly targeting corporate information.
Reduce the potential for fines and mandatory audits by
Improving overall compliance with your organization's information security policies, procedures, standards, and checklists.
If the FTC finds that a company did not sufficiently protect against a data breach, it can require that company to undergo annual independent security audits for up to 20 years.
Reduce the potential for lawsuits against your organization by
Demonstrating a corporate concern for security and a process for ensuring that the workforce will provide adequate protection for information assets entrusted to its care.
Reduce C-level executives' exposure to prosecution by
Ensuring that they understand that they are legally responsible for the integrity of the organization's information assets.
Demonstrating management's commitment to secure information resources.
Allowing your organization to comply with regulations that require information security awareness and privacy training (such as the Federal Information Security Management Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act).
Facilitate disciplinary or legal action against those who don't comply with information security rules by
Documenting the requirements and each individual's acknowledgment of your organization's security policies.